Skip to main content

Product Video Gallery WooCommerce CVE-2026-10104

| EUVDEUVD-2026-41269 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Wordfence GHSA-rv7q-hqv4-5324
4.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

PR:H reflects mandatory shop manager auth; UI:R reflects victim must visit page; AC:L because injection itself is straightforward once authenticated.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:18 vuln.today
CVE Published
Jul 02, 2026 - 08:33 cve.org
MEDIUM 4.4

DescriptionCVE.org

The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain shop manager credentials
Delivery
Authenticate to WordPress admin
Exploit
Inject XSS payload via custom_thumbnail field
Execution
Payload persisted in product database
Persist
Victim visits affected product page
Impact
Script executes in victim's browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with shop manager-level access or higher on the target WordPress site - this is a non-trivial privilege level, not a guest or subscriber role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 4.4 (Medium) is calibrated by three significant mitigating factors in the vector: network attack vector (AV:N) is offset by high attack complexity (AC:H) and high privilege required (PR:H, meaning shop manager or above). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised or legitimately holds a WooCommerce shop manager account logs into the WordPress admin panel, navigates to a product's video gallery settings, and enters a JavaScript payload (e.g., a cookie-stealer or credential harvester) as the custom_thumbnail value. No public POC has been identified, but the exploit requires only standard XSS injection technique - any visitor who subsequently views that product page will have the script silently executed in their browser, potentially exposing session cookies or enabling phishing overlays.
Remediation A patch commit has been recorded in the plugin's SVN repository (changeset 3591727 per the reference at plugins.trac.wordpress.org), indicating an upstream fix exists; however, the exact patched release version number is not independently confirmed from the available data - administrators should update to the latest available version beyond 1.5.1.8 via the WordPress plugin repository and verify the changelog. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy